jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1440540 [1/2] - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorizati...
Date Wed, 30 Jan 2013 17:33:37 GMT
Author: angela
Date: Wed Jan 30 17:33:37 2013
New Revision: 1440540

URL: http://svn.apache.org/viewvc?rev=1440540&view=rev
Log:
OAK-51 : Access Control Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java
      - copied, changed from r1439952, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java
      - copied, changed from r1439952, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
      - copied, changed from r1440499, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java
      - copied, changed from r1439952, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenPermissionProvider.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/core/ReadOnlyTreeTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissionsTest.java
      - copied, changed from r1439952, jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissionsTest.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImplTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissionsTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyTree.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/ImmutableACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/PermissionProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/Permissions.java
    jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyTree.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyTree.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyTree.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/ReadOnlyTree.java Wed Jan 30 17:33:37 2013
@@ -19,8 +19,11 @@
 package org.apache.jackrabbit.oak.core;
 
 import java.util.Iterator;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.TreeLocation;
 import org.apache.jackrabbit.oak.api.Type;
@@ -33,26 +36,69 @@ import static com.google.common.base.Pre
 
 public class ReadOnlyTree implements Tree {
 
-    /** Parent of this tree, {@code null} for the root */
+    /**
+     * Parent of this tree, {@code null} for the root
+     */
     private final ReadOnlyTree parent;
 
-    /** Name of this tree */
+    /**
+     * Name of this tree
+     */
     private final String name;
 
-    /** Underlying node state */
+    /**
+     * Path of this tree
+     */
+    private final String path;
+
+    /**
+     * Underlying node state
+     */
     private final NodeState state;
 
-    public ReadOnlyTree(NodeState root) {
-        this(null, "", root);
+    public ReadOnlyTree(NodeState rootState) {
+        this(null, "", rootState);
     }
 
-    public ReadOnlyTree(ReadOnlyTree parent, String name, NodeState state) {
+    public ReadOnlyTree(@Nullable ReadOnlyTree parent, @Nonnull String name, @Nonnull NodeState state) {
         this.parent = parent;
         this.name = checkNotNull(name);
+        this.path = buildPath(parent, name);
         this.state = checkNotNull(state);
         checkArgument(!name.isEmpty() || parent == null);
     }
 
+    private static String buildPath(ReadOnlyTree parent, String name) {
+        if (parent == null) {
+            return "/";
+        } else if (parent.isRoot()) {
+            return parent.path + name;
+        } else {
+            StringBuilder sb = new StringBuilder();
+            sb.append(parent.path).append('/').append(name);
+            return sb.toString();
+        }
+    }
+
+    public static ReadOnlyTree createFromRoot(Root root) {
+        if (root instanceof RootImpl) {
+            return new ReadOnlyTree(((RootImpl) root).getBaseState());
+        } else {
+            throw new IllegalArgumentException("Unsupported Root implementation.");
+        }
+    }
+
+    public static ReadOnlyTree createFromRootTree(Tree rootTree) {
+        if (rootTree instanceof ReadOnlyTree) {
+            return (ReadOnlyTree) rootTree;
+        } else if (rootTree instanceof TreeImpl) {
+            TreeImpl impl = (TreeImpl) rootTree;
+            return new ReadOnlyTree(null, "", impl.getNodeState());
+        } else {
+            throw new IllegalArgumentException("Unsupported Tree implementation");
+        }
+    }
+
     @Override
     public String getName() {
         return name;
@@ -65,21 +111,7 @@ public class ReadOnlyTree implements Tre
 
     @Override
     public String getPath() {
-        if (isRoot()) {
-            // shortcut
-            return "/";
-        }
-
-        StringBuilder sb = new StringBuilder();
-        buildPath(sb);
-        return sb.toString();
-    }
-
-    private void buildPath(StringBuilder sb) {
-        if (!isRoot()) {
-            parent.buildPath(sb);
-            sb.append('/').append(name);
-        }
+        return path;
     }
 
     @Override
@@ -149,8 +181,9 @@ public class ReadOnlyTree implements Tre
     /**
      * This implementation does not respect ordered child nodes, but always
      * returns them in some implementation specific order.
-     *
+     * <p/>
      * TODO: respect orderable children (needed?)
+     *
      * @return the children.
      */
     @Override
@@ -165,6 +198,7 @@ public class ReadOnlyTree implements Tre
                     public boolean hasNext() {
                         return iterator.hasNext();
                     }
+
                     @Override
                     public Tree next() {
                         ChildNodeEntry entry = iterator.next();
@@ -172,6 +206,7 @@ public class ReadOnlyTree implements Tre
                                 ReadOnlyTree.this,
                                 entry.getName(), entry.getNodeState());
                     }
+
                     @Override
                     public void remove() {
                         throw new UnsupportedOperationException();

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java Wed Jan 30 17:33:37 2013
@@ -23,7 +23,6 @@ import java.io.InputStream;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Collections;
-
 import javax.annotation.Nonnull;
 import javax.security.auth.Subject;
 
@@ -33,7 +32,6 @@ import org.apache.jackrabbit.oak.api.Com
 import org.apache.jackrabbit.oak.api.QueryEngine;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.TreeLocation;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.commit.DefaultConflictHandler;
 import org.apache.jackrabbit.oak.plugins.index.diffindex.UUIDDiffIndexProviderWrapper;
 import org.apache.jackrabbit.oak.query.QueryEngineImpl;
@@ -42,8 +40,8 @@ import org.apache.jackrabbit.oak.spi.obs
 import org.apache.jackrabbit.oak.spi.query.CompositeQueryIndexProvider;
 import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.oak.spi.security.authorization.OpenAccessControlConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
 import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
@@ -63,7 +61,9 @@ public class RootImpl implements Root {
      */
     private static final int PURGE_LIMIT = 100;
 
-    /** The underlying store to which this root belongs */
+    /**
+     * The underlying store to which this root belongs
+     */
     private final NodeStore store;
 
     private final Subject subject;
@@ -73,10 +73,14 @@ public class RootImpl implements Root {
      */
     private final AccessControlConfiguration accConfiguration;
 
-    /** Current branch this root operates on */
+    /**
+     * Current branch this root operates on
+     */
     private NodeStoreBranch branch;
 
-    /** Current root {@code Tree} */
+    /**
+     * Current root {@code Tree}
+     */
     private TreeImpl rootTree;
 
     /**
@@ -92,11 +96,11 @@ public class RootImpl implements Root {
     /**
      * New instance bases on a given {@link NodeStore} and a workspace
      *
-     * @param store         node store
-     * @param workspaceName name of the workspace
-     * @param subject       the subject.
-     * @param accConfiguration   the access control context provider.
-     * @param indexProvider the query index provider.
+     * @param store            node store
+     * @param workspaceName    name of the workspace
+     * @param subject          the subject.
+     * @param accConfiguration the access control context provider.
+     * @param indexProvider    the query index provider.
      */
     @SuppressWarnings("UnusedParameters")
     public RootImpl(NodeStore store,
@@ -236,16 +240,16 @@ public class RootImpl implements Root {
         purgePendingChanges();
         CommitFailedException exception = Subject.doAs(
                 getCombinedSubject(), new PrivilegedAction<CommitFailedException>() {
-                    @Override
-                    public CommitFailedException run() {
-                        try {
-                            branch.merge();
-                            return null;
-                        } catch (CommitFailedException e) {
-                            return e;
-                        }
-                    }
-                });
+            @Override
+            public CommitFailedException run() {
+                try {
+                    branch.merge();
+                    return null;
+                } catch (CommitFailedException e) {
+                    return e;
+                }
+            }
+        });
         if (exception != null) {
             throw exception;
         }
@@ -257,8 +261,7 @@ public class RootImpl implements Root {
         Subject accSubject = Subject.getSubject(AccessController.getContext());
         if (accSubject == null) {
             return subject;
-        }
-        else {
+        } else {
             Subject combinedSubject = new Subject(false,
                     subject.getPrincipals(), subject.getPublicCredentials(), subject.getPrivateCredentials());
             combinedSubject.getPrincipals().addAll(accSubject.getPrincipals());
@@ -333,6 +336,7 @@ public class RootImpl implements Root {
 
     /**
      * Returns the node state from which the current branch was created.
+     *
      * @return base node state
      */
     @Nonnull
@@ -352,8 +356,8 @@ public class RootImpl implements Root {
         }
     }
 
-    CompiledPermissions getPermissions() {
-        return accConfiguration.getPermissionProvider(NamePathMapper.DEFAULT).getCompiledPermissions(store, subject.getPrincipals());
+    PermissionProvider getPermissionProvider() {
+        return accConfiguration.getPermissionProvider(this, subject.getPrincipals());
     }
 
     //------------------------------------------------------------< private >---

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/TreeImpl.java Wed Jan 30 17:33:37 2013
@@ -48,19 +48,29 @@ import static org.apache.jackrabbit.oak.
 
 public class TreeImpl implements Tree {
 
-    /** Internal and hidden property that contains the child order */
+    /**
+     * Internal and hidden property that contains the child order
+     */
     static final String OAK_CHILD_ORDER = ":childOrder";
 
-    /** Underlying {@code Root} of this {@code Tree} instance */
+    /**
+     * Underlying {@code Root} of this {@code Tree} instance
+     */
     private final RootImpl root;
 
-    /** Parent of this tree. Null for the root. */
+    /**
+     * Parent of this tree. Null for the root.
+     */
     private TreeImpl parent;
 
-    /** Name of this tree */
+    /**
+     * Name of this tree
+     */
     private String name;
 
-    /** Lazily initialised {@code NodeBuilder} for the underlying node state */
+    /**
+     * Lazily initialised {@code NodeBuilder} for the underlying node state
+     */
     NodeBuilder nodeBuilder;
 
     private TreeImpl(RootImpl root, TreeImpl parent, String name) {
@@ -405,8 +415,8 @@ public class TreeImpl implements Tree {
 
         NodeState parentBaseState = parent.getBaseState();
         return parentBaseState == null
-            ? null
-            : parentBaseState.getChildNode(name);
+                ? null
+                : parentBaseState.getChildNode(name);
     }
 
     @Nonnull
@@ -423,8 +433,8 @@ public class TreeImpl implements Tree {
      * Move this tree to the parent at {@code destParent} with the new name
      * {@code destName}.
      *
-     * @param destParent  new parent for this tree
-     * @param destName  new name for this tree
+     * @param destParent new parent for this tree
+     * @param destName   new name for this tree
      */
     void moveTo(TreeImpl destParent, String destName) {
         if (isRemoved()) {
@@ -445,7 +455,7 @@ public class TreeImpl implements Tree {
      *
      * @param path the path to the child
      * @return a {@link Tree} instance for the child at {@code path} or
-     * {@code null} if no such tree exits or if the tree is not accessible.
+     *         {@code null} if no such tree exits or if the tree is not accessible.
      */
     @CheckForNull
     TreeImpl getTree(String path) {
@@ -488,8 +498,8 @@ public class TreeImpl implements Tree {
 
     private TreeImpl internalGetChild(String childName) {
         return getNodeBuilder().hasChildNode(childName)
-            ? new TreeImpl(root, this, childName)
-            : null;
+                ? new TreeImpl(root, this, childName)
+                : null;
     }
 
     private PropertyState internalGetProperty(String propertyName) {
@@ -506,14 +516,14 @@ public class TreeImpl implements Tree {
     private boolean canRead(Tree tree) {
         // FIXME: access control eval must have full access to the tree
         // FIXME: special handling for access control item and version content
-        return root.getPermissions().canRead(tree);
+        return root.getPermissionProvider().canRead(tree);
     }
 
     private boolean canRead(PropertyState property) {
         // FIXME: access control eval must have full access to the tree/property
         // FIXME: special handling for access control item and version content
         return (property != null)
-                && root.getPermissions().canRead(this, property)
+                && root.getPermissionProvider().canRead(this, property)
                 && !NodeStateUtils.isHidden(property.getName());
     }
 
@@ -583,8 +593,8 @@ public class TreeImpl implements Tree {
         @Override
         public TreeLocation getParent() {
             return tree.parent == null
-                ? TreeLocation.NULL
-                : new NodeLocation(tree.parent);
+                    ? TreeLocation.NULL
+                    : new NodeLocation(tree.parent);
         }
 
         @Override
@@ -607,12 +617,11 @@ public class TreeImpl implements Tree {
             PropertyState property = child.internalGetProperty(name);
             if (property != null) {
                 return new PropertyLocation(new NodeLocation(child), name);
-            }
-            else {
+            } else {
                 child = child.internalGetChild(name);
                 return child == null
-                    ? TreeLocation.NULL
-                    : new NodeLocation(child);
+                        ? TreeLocation.NULL
+                        : new NodeLocation(child);
             }
         }
 
@@ -637,8 +646,8 @@ public class TreeImpl implements Tree {
         public PropertyState getProperty() {
             PropertyState property = parentLocation.tree.internalGetProperty(name);
             return canRead(property)
-                ? property
-                : null;
+                    ? property
+                    : null;
         }
 
         @Override
@@ -648,6 +657,7 @@ public class TreeImpl implements Tree {
 
         /**
          * Set the underlying property
+         *
          * @param property The property to set
          */
         public void set(PropertyState property) {
@@ -656,7 +666,8 @@ public class TreeImpl implements Tree {
 
         /**
          * Remove the underlying property
-         * @return  {@code true} on success false otherwise
+         *
+         * @return {@code true} on success false otherwise
          */
         @Override
         public boolean remove() {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java Wed Jan 30 17:33:37 2013
@@ -16,13 +16,16 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.security.AccessControlManager;
 
 import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
 import org.apache.jackrabbit.oak.spi.commit.CommitHook;
@@ -63,6 +66,7 @@ public class AccessControlConfigurationI
     //-----------------------------------------< AccessControlConfiguration >---
     @Override
     public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper) {
+        // TODO OAK-51
         throw new UnsupportedOperationException("not yet implemented");
     }
 
@@ -74,8 +78,16 @@ public class AccessControlConfigurationI
 
     @Nonnull
     @Override
-    public PermissionProvider getPermissionProvider(NamePathMapper namePathMapper) {
-        return new PermissionProviderImpl();
+    public PermissionProvider getPermissionProvider(Root root, Set<Principal> principals) {
+        // TODO OAK-51
+        return new TmpPermissionProvider(root, principals, securityProvider);
+    }
+
+    @Nonnull
+    @Override
+    public PermissionProvider getPermissionProvider(Tree rootTree, Set<Principal> principals) {
+        // TODO OAK-51
+        return new TmpPermissionProvider(rootTree, principals, securityProvider);
     }
 
     @Nonnull
@@ -87,7 +99,7 @@ public class AccessControlConfigurationI
     @Nonnull
     @Override
     public List<CommitHook> getCommitHooks() {
-        return Collections.<CommitHook>singletonList(new AccessControlHook());
+        return Collections.<CommitHook>singletonList(new PermissionHook());
     }
 
     @Override

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Wed Jan 30 17:33:37 2013
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.oak.securi
 import java.util.Collection;
 
 import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
 
 /**
  * AccessControlConstants... TODO
@@ -31,6 +32,7 @@ public interface AccessControlConstants 
     String REP_PRINCIPAL_NAME = "rep:principalName";
     String REP_GLOB = "rep:glob";
     String REP_NODE_PATH = "rep:nodePath";
+
     /**
      * @since OAK 1.0
      */
@@ -44,11 +46,40 @@ public interface AccessControlConstants 
     String NT_REP_ACE = "rep:ACE";
     String NT_REP_GRANT_ACE = "rep:GrantACE";
     String NT_REP_DENY_ACE = "rep:DenyACE";
+
     /**
      * @since OAK 1.0
      */
     String NT_REP_RESTRICTIONS = "rep:Restrictions";
 
+    /**
+     * @since OAK 1.0
+     */
+    String NT_REP_PERMISSIONS = "rep:Permissions";
+    /**
+     * @since OAK 1.0
+     */
+    String REP_PERMISSION_STORE = "rep:permissionStore";
+    /**
+     * @since OAK 1.0
+     */
+    String PERMISSIONS_STORE_PATH = JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;
+
+
+    /**
+     * @since OAK 1.0
+     */
+    String MIX_REP_VERSIONABLE_INFO = "rep:VersionableInfo";
+    String REP_VERSIONABLE_INFO = "rep:versionableInfo";
+    /**
+     * @since OAK 1.0
+     */
+    String REP_WORKSPACE_NAME = "rep:workspaceName";
+    /**
+     * @since OAK 1.0
+     */
+    String REP_VERSIONABLE_PATH = "rep:versionablePath";
+
     Collection<String> POLICY_NODE_NAMES = ImmutableSet.of(REP_POLICY, REP_REPO_POLICY);
 
     Collection<String> ACE_PROPERTY_NAMES = ImmutableSet.of(REP_PRINCIPAL_NAME, REP_PRIVILEGES);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java Wed Jan 30 17:33:37 2013
@@ -81,7 +81,9 @@ class AccessControlImporter implements P
     //----------------------------------------------< ProtectedItemImporter >---
 
     @Override
-    public boolean init(Session session, Root root, NamePathMapper namePathMapper, boolean isWorkspaceImport, int uuidBehavior, ReferenceChangeTracker referenceTracker) {
+    public boolean init(Session session, Root root, NamePathMapper namePathMapper,
+                        boolean isWorkspaceImport, int uuidBehavior,
+                        ReferenceChangeTracker referenceTracker) {
         if (initialized) {
             throw new IllegalStateException("Already initialized");
         }
@@ -110,7 +112,7 @@ class AccessControlImporter implements P
     //----------------------------------------------< ProtectedNodeImporter >---
 
     @Override
-    public boolean start(Tree protectedParent) throws IllegalStateException, RepositoryException {
+    public boolean start(Tree protectedParent) throws RepositoryException {
         checkInitialized();
 
         // the acl node must have been added during the regular import before
@@ -208,7 +210,7 @@ class AccessControlImporter implements P
     @CheckForNull
     private JackrabbitAccessControlList getACL(String path) throws RepositoryException {
         JackrabbitAccessControlList acl = null;
-        for (AccessControlPolicy p: acMgr.getPolicies(path)) {
+        for (AccessControlPolicy p : acMgr.getPolicies(path)) {
             if (p instanceof JackrabbitAccessControlList) {
                 acl = (JackrabbitAccessControlList) p;
                 break;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Wed Jan 30 17:33:37 2013
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import java.security.AccessController;
 import java.security.Principal;
 import java.text.ParseException;
 import java.util.ArrayList;
@@ -35,6 +36,7 @@ import javax.jcr.security.AccessControlL
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
+import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
@@ -62,7 +64,9 @@ import org.apache.jackrabbit.oak.securit
 import org.apache.jackrabbit.oak.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.ACE;
+import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
 import org.apache.jackrabbit.oak.spi.security.authorization.ImmutableACL;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.jackrabbit.oak.spi.state.PropertyBuilder;
@@ -83,9 +87,11 @@ public class AccessControlManagerImpl im
 
     private final Root root;
     private final NamePathMapper namePathMapper;
+    private final AccessControlConfiguration acConfig;
 
     private final PrivilegeManager privilegeManager;
     private final PrincipalManager principalManager;
+    private final PermissionProvider permissionProvider;
     private final RestrictionProvider restrictionProvider;
     private final ReadOnlyNodeTypeManager ntMgr;
 
@@ -96,7 +102,13 @@ public class AccessControlManagerImpl im
 
         privilegeManager = securityProvider.getPrivilegeConfiguration().getPrivilegeManager(root, namePathMapper);
         principalManager = securityProvider.getPrincipalConfiguration().getPrincipalManager(root, namePathMapper);
-        restrictionProvider = securityProvider.getAccessControlConfiguration().getRestrictionProvider(namePathMapper);
+
+        acConfig = securityProvider.getAccessControlConfiguration();
+
+        Subject subject = Subject.getSubject(AccessController.getContext());
+        Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
+        permissionProvider = acConfig.getPermissionProvider(root, principals);
+        restrictionProvider = acConfig.getRestrictionProvider(namePathMapper);
         ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
     }
 
@@ -114,14 +126,12 @@ public class AccessControlManagerImpl im
 
     @Override
     public boolean hasPrivileges(String absPath, Privilege[] privileges) throws RepositoryException {
-        // TODO
-        throw new UnsupportedOperationException("Not yet implemented");
+        return hasPrivileges(absPath, privileges, permissionProvider);
     }
 
     @Override
-    public Privilege[] getPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
-        // TODO
-        throw new UnsupportedOperationException("Not yet implemented");
+    public Privilege[] getPrivileges(String absPath) throws RepositoryException {
+        return getPrivileges(absPath, permissionProvider);
     }
 
     @Override
@@ -130,7 +140,7 @@ public class AccessControlManagerImpl im
         Tree tree = getTree(oakPath);
         AccessControlPolicy policy = createACL(oakPath, tree, false);
         if (policy != null) {
-            return new AccessControlPolicy[] {policy};
+            return new AccessControlPolicy[]{policy};
         } else {
             return new AccessControlPolicy[0];
         }
@@ -259,7 +269,7 @@ public class AccessControlManagerImpl im
         if (aceResult.getSize() > 0) {
             return new JackrabbitAccessControlPolicy[0];
         } else {
-            return new JackrabbitAccessControlPolicy[] {createPrincipalACL(principal, null)};
+            return new JackrabbitAccessControlPolicy[]{createPrincipalACL(principal, null)};
         }
     }
 
@@ -267,7 +277,7 @@ public class AccessControlManagerImpl im
     public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws RepositoryException {
         Result aceResult = searchAces(Collections.<Principal>singleton(principal));
         if (aceResult.getSize() > 0) {
-            return new JackrabbitAccessControlPolicy[] {createPrincipalACL(principal, aceResult)};
+            return new JackrabbitAccessControlPolicy[]{createPrincipalACL(principal, aceResult)};
         } else {
             return new JackrabbitAccessControlPolicy[0];
         }
@@ -298,14 +308,14 @@ public class AccessControlManagerImpl im
 
     @Override
     public boolean hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges) throws RepositoryException {
-        // TODO
-        throw new UnsupportedOperationException("Not yet implemented");
+        PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
+        return hasPrivileges(absPath, privileges, provider);
     }
 
     @Override
     public Privilege[] getPrivileges(String absPath, Set<Principal> principals) throws RepositoryException {
-        // TODO
-        throw new UnsupportedOperationException("Not yet implemented");
+        PermissionProvider provider = acConfig.getPermissionProvider(root, principals);
+        return getPrivileges(absPath, provider);
     }
 
     //------------------------------------------------------------< private >---
@@ -326,7 +336,7 @@ public class AccessControlManagerImpl im
     private Tree getTree(@Nullable String oakPath) throws RepositoryException {
         Tree tree = (oakPath == null) ? root.getTree("/") : root.getTree(oakPath);
         if (tree == null) {
-            throw new PathNotFoundException("No tree at " +oakPath);
+            throw new PathNotFoundException("No tree at " + oakPath);
         }
         checkPermission(tree);
 
@@ -366,9 +376,8 @@ public class AccessControlManagerImpl im
     }
 
     /**
-     *
      * @param oakPath the Oak path as specified with the ac mgr call.
-     * @param tree the access controlled node.
+     * @param tree    the access controlled node.
      * @return the new acl tree.
      * @throws RepositoryException if an error occurs
      */
@@ -417,8 +426,8 @@ public class AccessControlManagerImpl im
     }
 
     @Nonnull
-    private JackrabbitAccessControlList createPrincipalACL(Principal principal,
-                                                           Result aceResult) throws RepositoryException {
+    private JackrabbitAccessControlList createPrincipalACL(@Nonnull Principal principal,
+                                                           @Nullable Result aceResult) throws RepositoryException {
         if (!(principal instanceof ItemBasedPrincipal)) {
             throw new IllegalArgumentException("Item based principal expected");
         }
@@ -507,6 +516,34 @@ public class AccessControlManagerImpl im
         return privileges;
     }
 
+    @Nonnull
+    private Privilege[] getPrivileges(String absPath, PermissionProvider provider) throws RepositoryException {
+        // TODO
+        String oakPath = getOakPath(absPath);
+        Tree tree = getTree(oakPath);
+        Set<String> pNames = provider.getPrivilegeNames(tree);
+        if (pNames.isEmpty()) {
+            return new Privilege[0];
+        } else {
+            Set<Privilege> privileges = new HashSet<Privilege>(pNames.size());
+            for (String name : pNames) {
+                privileges.add(privilegeManager.getPrivilege(namePathMapper.getJcrName(name)));
+            }
+            return privileges.toArray(new Privilege[privileges.size()]);
+        }
+    }
+
+    private boolean hasPrivileges(String absPath, Privilege[] privileges, PermissionProvider provider) throws RepositoryException {
+        // TODO
+        String oakPath = getOakPath(absPath);
+        Tree tree = getTree(oakPath);
+        Set<String> privilegeNames = new HashSet<String>(privileges.length);
+        for (Privilege privilege : privileges) {
+            privilegeNames.add(namePathMapper.getOakName(privilege.getName()));
+        }
+        return provider.hasPrivileges(tree, privilegeNames.toArray(new String[privilegeNames.size()]));
+    }
+
     @CheckForNull
     private NodeUtil getAclNode(@Nullable String oakPath, @Nonnull Tree accessControlledTree) throws RepositoryException {
         if (isAccessControlled(accessControlledTree, getMixinName(oakPath))) {
@@ -537,7 +574,7 @@ public class AccessControlManagerImpl im
      * @return the name of the ACE node.
      */
     @Nonnull
-    public static String generateAceName(@Nonnull NodeUtil aclNode, boolean isAllow) {
+    private static String generateAceName(@Nonnull NodeUtil aclNode, boolean isAllow) {
         int i = 0;
         String hint = (isAllow) ? "allow" : "deny";
         String aceName = hint;

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java (from r1439952, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java&r1=1439952&r2=1440540&rev=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionHook.java Wed Jan 30 17:33:37 2013
@@ -27,7 +27,7 @@ import org.apache.jackrabbit.oak.spi.sta
  * access control content and updates persisted permission caches associated
  * with access control related data stored in the repository.
  */
-public class AccessControlHook implements CommitHook {
+class PermissionHook implements CommitHook {
 
     @Nonnull
     @Override

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionProviderImpl.java Wed Jan 30 17:33:37 2013
@@ -17,47 +17,204 @@
 package org.apache.jackrabbit.oak.security.authorization;
 
 import java.security.Principal;
+import java.util.Collections;
 import java.util.Set;
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
-import javax.jcr.security.Privilege;
+import javax.annotation.Nullable;
 
-import org.apache.jackrabbit.oak.spi.security.authorization.AllPermissions;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.api.TreeLocation;
+import org.apache.jackrabbit.oak.api.Type;
+import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.security.authorization.permission.AllPermissions;
+import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl;
+import org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions;
+import org.apache.jackrabbit.oak.security.authorization.permission.NoPermissions;
+import org.apache.jackrabbit.oak.spi.security.Context;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
-import org.apache.jackrabbit.oak.spi.state.NodeStore;
+import org.apache.jackrabbit.oak.version.VersionConstants;
+import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
  * PermissionProviderImpl... TODO
  */
-public class PermissionProviderImpl implements PermissionProvider {
+public class PermissionProviderImpl implements PermissionProvider, AccessControlConstants {
 
-    /**
-     * logger instance
-     */
     private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class);
 
+    private final ReadOnlyTree rootTree;
+    private final SecurityProvider securityProvider;
+
+    private final String workspaceName = "default"; // FIXME: use proper workspace as associated with the root
+
+    private final CompiledPermissions compiledPermissions;
+
+    public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set<Principal> principals,
+                                  @Nonnull SecurityProvider securityProvider) {
+        this(ReadOnlyTree.createFromRoot(root), principals, securityProvider);
+    }
+
+    public PermissionProviderImpl(@Nonnull Tree rootTree, @Nonnull Set<Principal> principals,
+                                  @Nonnull SecurityProvider securityProvider) {
+        this.rootTree = ReadOnlyTree.createFromRootTree(rootTree);
+        this.securityProvider = securityProvider;
+        if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
+            compiledPermissions = AllPermissions.getInstance();
+        } else {
+            String relativePath = PERMISSIONS_STORE_PATH + '/' + workspaceName;
+            ReadOnlyTree permissionsTree = getPermissionsRoot(this.rootTree, relativePath);
+            if (permissionsTree == null) {
+                compiledPermissions = NoPermissions.getInstance();
+            } else {
+                compiledPermissions = new CompiledPermissionImpl(permissionsTree, principals);
+            }
+        }
+    }
+
+    @Nonnull
     @Override
-    public Permissions getPermissions(Set<Privilege> privileges) {
+    public Set<String> getPrivilegeNames(@Nullable Tree tree) {
         // TODO
-        throw new UnsupportedOperationException("not yet implemented.");
+        return Collections.emptySet();
     }
 
-    @Nonnull
     @Override
-    public CompiledPermissions getCompiledPermissions(NodeStore nodeStore, Set<Principal> principals) {
-        if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
-            return AllPermissions.getInstance();
+    public boolean hasPrivileges(@Nullable Tree tree, String... privilegeNames) {
+        // TODO
+        return false;
+    }
+
+    @Override
+    public boolean canRead(@Nonnull Tree tree) {
+        if (getAccessControlContext().definesTree(tree)) {
+            return compiledPermissions.isGranted(Permissions.READ_ACCESS_CONTROL, tree);
+        } else if (isVersionContent(tree)) {
+            // TODO: add proper implementation
+            Tree versionableTree = getVersionableTree(tree);
+            return versionableTree != null && compiledPermissions.canRead(versionableTree);
+        } else {
+            return compiledPermissions.canRead(tree);
+        }
+    }
+
+    @Override
+    public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
+        if (getAccessControlContext().definesTree(tree)) {
+            return compiledPermissions.isGranted(Permissions.READ_ACCESS_CONTROL, tree, property);
+        } else if (isVersionContent(tree)) {
+            // TODO: add proper implementation
+            Tree versionableTree = getVersionableTree(tree);
+            return versionableTree != null && compiledPermissions.canRead(versionableTree, property);
+        } else {
+            return compiledPermissions.canRead(tree, property);
+        }
+    }
+
+    @Override
+    public boolean isGranted(long permissions) {
+        return compiledPermissions.isGranted(permissions);
+    }
+
+    @Override
+    public boolean isGranted(@Nonnull Tree tree, long permissions) {
+        if (Permissions.includes(permissions, Permissions.VERSION_MANAGEMENT)) {
+            // FIXME: path to check for permission must be adjusted to be
+            // FIXME: the one of the versionable node instead of the target parent in case of version-store is affected.
+        } else if (Permissions.includes(permissions, Permissions.READ_NODE)) {
+            // TODO
+        }
+
+        return compiledPermissions.isGranted(permissions, tree);
+    }
+
+    @Override
+    public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
+        if (Permissions.includes(permissions, Permissions.VERSION_MANAGEMENT)) {
+            // FIXME: path to check for permission must be adjusted to be
+            // FIXME: the one of the versionable node instead of the target parent in case of version-store is affected.
+        } else if (Permissions.includes(permissions, Permissions.READ_PROPERTY)) {
+            // TODO
+        }
+
+        return compiledPermissions.isGranted(permissions, parent, property);
+    }
+
+    @Override
+    public boolean hasPermission(@Nonnull String oakPath, String jcrActions) {
+        TreeLocation location = rootTree.getLocation().getChild(oakPath.substring(1));
+        long permissions = Permissions.getPermissions(jcrActions, location);
+
+        // TODO
+        return false;
+    }
+
+    @Override
+    public long getPermission(@Nonnull Tree tree, long defaultPermission) {
+        String path = tree.getPath();
+        long permission;
+        if (isNamespaceDefinition(path)) {
+            permission = Permissions.NAMESPACE_MANAGEMENT;
+        } else if (isNodeTypeDefinition(path)) {
+            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+        } else if (isVersionContent(tree)) {
+            permission = Permissions.VERSION_MANAGEMENT;
+        } else if (getPrivilegeContext().definesTree(tree)) {
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else if (getAccessControlContext().definesTree(tree)) {
+            permission = Permissions.MODIFY_ACCESS_CONTROL;
+        } else if (getUserContext().definesTree(tree)) {
+            permission = Permissions.USER_MANAGEMENT;
         } else {
-            return new CompiledPermissionImpl(nodeStore, principals);
+            // TODO  - workspace management
+            // TODO: identify renaming/move of nodes that only required MODIFY_CHILD_NODE_COLLECTION permission
+            permission = defaultPermission;
         }
+        return permission;
+    }
+
+    @Override
+    public long getPermission(@Nonnull Tree parent, @Nonnull PropertyState propertyState, long defaultPermission) {
+        String parentPath = parent.getPath();
+        String name = propertyState.getName();
+
+        long permission;
+        if (JcrConstants.JCR_PRIMARYTYPE.equals(name) || JcrConstants.JCR_MIXINTYPES.equals(name)) {
+            // FIXME: distinguish between autocreated and user-supplied modification (?)
+            permission = Permissions.NODE_TYPE_MANAGEMENT;
+        } else if (isLockProperty(name)) {
+            permission = Permissions.LOCK_MANAGEMENT;
+        } else if (isNamespaceDefinition(parentPath)) {
+            permission = Permissions.NAMESPACE_MANAGEMENT;
+        } else if (isNodeTypeDefinition(parentPath)) {
+            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
+        } else if (isVersionProperty(parent, propertyState)) {
+            permission = Permissions.VERSION_MANAGEMENT;
+        } else if (getPrivilegeContext().definesProperty(parent, propertyState)) {
+            permission = Permissions.PRIVILEGE_MANAGEMENT;
+        } else if (getAccessControlContext().definesProperty(parent, propertyState)) {
+            permission = Permissions.MODIFY_ACCESS_CONTROL;
+        } else if (getUserContext().definesProperty(parent, propertyState)) {
+            permission = Permissions.USER_MANAGEMENT;
+        } else {
+            permission = defaultPermission;
+        }
+        return permission;
     }
 
     //--------------------------------------------------------------------------
+
     private static boolean isAdmin(Set<Principal> principals) {
         for (Principal principal : principals) {
             if (principal instanceof AdminPrincipal) {
@@ -66,4 +223,90 @@ public class PermissionProviderImpl impl
         }
         return false;
     }
+
+    @CheckForNull
+    private static ReadOnlyTree getPermissionsRoot(ReadOnlyTree rootTree, String relativePath) {
+        Tree tree = rootTree.getLocation().getChild(relativePath).getTree();
+        return (tree == null) ? null : (ReadOnlyTree) tree;
+    }
+
+    @CheckForNull
+    private Tree getVersionableTree(Tree versionStoreTree) {
+        String locationPath = workspaceName + '/' + REP_VERSIONABLE_PATH;
+        String versionablePath = null;
+        Tree t = versionStoreTree;
+        while (versionablePath == null && !JcrConstants.JCR_VERSIONSTORAGE.equals(t.getName())) {
+            if (t.hasChild(REP_VERSIONABLE_INFO)) {
+                PropertyState prop = t.getLocation().getChild(locationPath).getProperty();
+                if (prop != null) {
+                    versionablePath = prop.getValue(Type.PATH);
+                }
+            }
+            t = t.getParent();
+        }
+        if (versionablePath == null || versionablePath.isEmpty()) {
+            log.warn("Unable to determine path of the versionable node.");
+            return null;
+        } else {
+            String relPath = versionablePath.substring(1);
+            return rootTree.getLocation().getChild(relPath).getTree();
+        }
+    }
+
+    // FIXME: versionable-info not detected
+    private static boolean isVersionContent(Tree tree) {
+        if (tree.isRoot()) {
+            return false;
+        }
+        if (VersionConstants.VERSION_NODE_NAMES.contains(tree.getName())) {
+            return true;
+        } else if (VersionConstants.VERSION_NODE_TYPE_NAMES.contains(getPrimaryTypeName(tree))) {
+            return true;
+        } else {
+            String path = tree.getPath();
+            return VersionConstants.SYSTEM_PATHS.contains(Text.getAbsoluteParent(path, 1));
+        }
+    }
+
+    // FIXME: versionable-info not detected
+    private static boolean isVersionProperty(Tree parent, PropertyState property) {
+        if (VersionConstants.VERSION_PROPERTY_NAMES.contains(property.getName())) {
+            return true;
+        } else {
+            return isVersionContent(parent);
+        }
+    }
+
+    private static boolean isLockProperty(String name) {
+        return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
+    }
+
+    private static boolean isNamespaceDefinition(String path) {
+        return Text.isDescendant(NamespaceConstants.NAMESPACES_PATH, path);
+    }
+
+    private static boolean isNodeTypeDefinition(String path) {
+        return Text.isDescendant(NodeTypeConstants.NODE_TYPES_PATH, path);
+    }
+
+    private Context getUserContext() {
+        return securityProvider.getUserConfiguration().getContext();
+    }
+
+    private Context getPrivilegeContext() {
+        return securityProvider.getPrivilegeConfiguration().getContext();
+    }
+
+    private Context getAccessControlContext() {
+        return securityProvider.getAccessControlConfiguration().getContext();
+    }
+
+    private static String getPrimaryTypeName(Tree tree) {
+        PropertyState property = tree.getProperty(JcrConstants.JCR_PRIMARYTYPE);
+        if (property != null && !property.isArray()) {
+            return property.getValue(Type.STRING);
+        } else {
+            return null;
+        }
+    }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidator.java Wed Jan 30 17:33:37 2013
@@ -16,21 +16,16 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import javax.annotation.Nullable;
 import javax.jcr.AccessDeniedException;
 
-import org.apache.jackrabbit.JcrConstants;
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
-import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
-import org.apache.jackrabbit.oak.util.NodeUtil;
-import org.apache.jackrabbit.oak.version.VersionConstants;
-import org.apache.jackrabbit.util.Text;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -45,22 +40,22 @@ class PermissionValidator implements Val
      * - review usage of OAK_CHILD_ORDER property (in particular if the property was removed
      */
 
-    private final NodeUtil parentBefore;
-    private final NodeUtil parentAfter;
-    private final CompiledPermissions compiledPermissions;
+    private final Tree parentBefore;
+    private final Tree parentAfter;
+    private final PermissionProvider permissionProvider;
     private final PermissionValidatorProvider provider;
 
-    PermissionValidator(NodeUtil parentBefore, NodeUtil parentAfter,
-                        CompiledPermissions compiledPermissions,
+    PermissionValidator(Tree parentBefore, Tree parentAfter,
+                        PermissionProvider permissionProvider,
                         PermissionValidatorProvider provider) {
-        this.compiledPermissions = compiledPermissions;
+        this.permissionProvider = permissionProvider;
         this.parentBefore = parentBefore;
         this.parentAfter = parentAfter;
         this.provider = provider;
     }
 
-    private Validator nextValidator(NodeUtil parentBefore, NodeUtil parentAfter) {
-        return new PermissionValidator(parentBefore, parentAfter, compiledPermissions, provider);
+    private Validator nextValidator(@Nullable Tree parentBefore, @Nullable Tree parentAfter) {
+        return new PermissionValidator(parentBefore, parentAfter, permissionProvider, provider);
     }
 
     //----------------------------------------------------------< Validator >---
@@ -81,14 +76,14 @@ class PermissionValidator implements Val
 
     @Override
     public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
-        NodeUtil child = parentAfter.getChild(name);
+        Tree child = parentAfter.getChild(name);
         return checkPermissions(child, false, Permissions.ADD_NODE);
     }
 
     @Override
     public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
-        NodeUtil childBefore = parentBefore.getChild(name);
-        NodeUtil childAfter = parentAfter.getChild(name);
+        Tree childBefore = parentBefore.getChild(name);
+        Tree childAfter = parentAfter.getChild(name);
 
         // TODO
 
@@ -97,135 +92,35 @@ class PermissionValidator implements Val
 
     @Override
     public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
-        NodeUtil child = parentBefore.getChild(name);
+        Tree child = parentBefore.getChild(name);
         return checkPermissions(child, true, Permissions.REMOVE_NODE);
     }
 
     //------------------------------------------------------------< private >---
-    private void checkPermissions(NodeUtil parent, PropertyState property, int defaultPermission) throws CommitFailedException {
-        Tree parentTree = parent.getTree();
-        String parentPath = parentTree.getPath();
-        String name = property.getName();
-
-        int permission;
-        if (JcrConstants.JCR_PRIMARYTYPE.equals(name) || JcrConstants.JCR_MIXINTYPES.equals(name)) {
-            // TODO: distinguish between autocreated and user-supplied modification (?)
-            permission = Permissions.NODE_TYPE_MANAGEMENT;
-        } else if (isLockProperty(name)) {
-            permission = Permissions.LOCK_MANAGEMENT;
-        } else if (isNamespaceDefinition(parentPath)) {
-            permission = Permissions.NAMESPACE_MANAGEMENT;
-        } else if (isNodeTypeDefinition(parentPath)) {
-            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
-        } else if (isVersionProperty(parent, property)) {
-            permission = Permissions.VERSION_MANAGEMENT;
-            // FIXME: path to check for permission must be adjusted to be
-            // FIXME: the one of the versionable node instead of the target parent in case of version-store is affected.
-        } else if (provider.getPrivilegeContext().definesProperty(parentTree, property)) {
-            permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (provider.getAccessControlContext().definesProperty(parentTree, property)) {
-            permission = Permissions.MODIFY_ACCESS_CONTROL;
-        } else if (provider.getUserContext().definesProperty(parentTree, property)) {
-            permission = Permissions.USER_MANAGEMENT;
-        } else {
-            permission = defaultPermission;
-        }
-
-        checkPermissions(parentTree, property, permission);
-    }
 
-    private Validator checkPermissions(NodeUtil node, boolean isBefore, int defaultPermission) throws CommitFailedException {
-        checkNotNull(node);
-
-        Tree tree = node.getTree();
-        String path = tree.getPath();
-        int permission;
-
-        if (isNamespaceDefinition(path)) {
-            permission = Permissions.NAMESPACE_MANAGEMENT;
-        } else if (isNodeTypeDefinition(path)) {
-            permission = Permissions.NODE_TYPE_DEFINITION_MANAGEMENT;
-        } else if (isVersion(node)) {
-            permission = Permissions.VERSION_MANAGEMENT;
-            // FIXME: path to check for permission must be adjusted to be
-            // FIXME: the one of the versionable node instead of the target parent in case of version-store is affected.
-        } else if (provider.getPrivilegeContext().definesTree(tree)) {
-            permission = Permissions.PRIVILEGE_MANAGEMENT;
-        } else if (provider.getAccessControlContext().definesTree(tree)) {
-            permission = Permissions.MODIFY_ACCESS_CONTROL;
-        } else if (provider.getUserContext().definesTree(tree)) {
-            permission = Permissions.USER_MANAGEMENT;
-        } else {
-            // TODO: identify specific permission depending on additional types of protection
-            // TODO  - workspace management
-
-            // TODO: identify renaming/move of nodes that only required MODIFY_CHILD_NODE_COLLECTION permission
-            permission = defaultPermission;
-        }
+    private Validator checkPermissions(Tree tree, boolean isBefore, long defaultPermission) throws CommitFailedException {
+        checkNotNull(tree);
 
+        long permission = permissionProvider.getPermission(tree, defaultPermission);
         if (Permissions.isRepositoryPermission(permission)) {
-            checkPermissions(permission);
+            if (!permissionProvider.isGranted(permission)) {
+                throw new CommitFailedException(new AccessDeniedException());
+            }
             return null; // no need for further validation down the subtree
         } else {
-            checkPermissions(tree, permission);
+            if (!permissionProvider.isGranted(tree, permission)) {
+                throw new CommitFailedException(new AccessDeniedException());
+            }
             return (isBefore) ?
-                    nextValidator(node, null) :
-                    nextValidator(null, node);
-        }
-    }
-
-    private void checkPermissions(int permissions) throws CommitFailedException {
-        if (!compiledPermissions.isGranted(permissions))    {
-            throw new CommitFailedException(new AccessDeniedException());
-        }
-    }
-
-    private void checkPermissions(Tree tree, int permissions) throws CommitFailedException {
-        if (!compiledPermissions.isGranted(tree, permissions))    {
-            throw new CommitFailedException(new AccessDeniedException());
+                    nextValidator(tree, null) :
+                    nextValidator(null, tree);
         }
     }
 
-    private void checkPermissions(Tree parent, PropertyState property, int permissions) throws CommitFailedException {
-        if (!compiledPermissions.isGranted(parent, property, permissions))    {
+    private void checkPermissions(Tree parent, PropertyState property, long defaultPermission) throws CommitFailedException {
+        long permission = permissionProvider.getPermission(parent, property, defaultPermission);
+        if (!permissionProvider.isGranted(parent, property, permission)) {
             throw new CommitFailedException(new AccessDeniedException());
         }
     }
-
-    private static boolean isVersion(NodeUtil node) {
-        if (node.getTree().isRoot()) {
-            return false;
-        }
-        // TODO: review again
-        if (VersionConstants.VERSION_NODE_NAMES.contains(node.getName())) {
-            return true;
-        } else if (VersionConstants.VERSION_NODE_TYPE_NAMES.contains(node.getName(JcrConstants.JCR_PRIMARYTYPE))) {
-            return true;
-        } else {
-            String path = node.getTree().getPath();
-            return VersionConstants.SYSTEM_PATHS.contains(Text.getAbsoluteParent(path, 1));
-        }
-    }
-
-    private static boolean isVersionProperty(NodeUtil parent, PropertyState property) {
-        // TODO: review again
-        if (VersionConstants.VERSION_PROPERTY_NAMES.contains(property.getName())) {
-            return true;
-        } else {
-            return isVersion(parent);
-        }
-    }
-
-    private static boolean isLockProperty(String name) {
-        return JcrConstants.JCR_LOCKISDEEP.equals(name) || JcrConstants.JCR_LOCKOWNER.equals(name);
-    }
-
-    private static boolean isNamespaceDefinition(String path) {
-        // TODO: depends on pluggable module
-        return Text.isDescendant(NamespaceConstants.NAMESPACES_PATH, path);
-    }
-    private static boolean isNodeTypeDefinition(String path) {
-        // TODO: depends on pluggable module
-        return Text.isDescendant(NodeTypeConstants.NODE_TYPES_PATH, path);
-    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/PermissionValidatorProvider.java Wed Jan 30 17:33:37 2013
@@ -24,26 +24,21 @@ import javax.annotation.Nonnull;
 import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.oak.core.ReadOnlyTree;
-import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.commit.Validator;
 import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
-import org.apache.jackrabbit.oak.spi.security.Context;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.state.NodeState;
-import org.apache.jackrabbit.oak.util.NodeUtil;
 
 /**
  * PermissionValidatorProvider... TODO
  */
 class PermissionValidatorProvider implements ValidatorProvider {
 
-    private final SecurityProvider securityProvider;
     private final AccessControlConfiguration acConfiguration;
 
     PermissionValidatorProvider(SecurityProvider securityProvider) {
-        this.securityProvider = securityProvider;
         this.acConfiguration = securityProvider.getAccessControlConfiguration();
     }
 
@@ -53,23 +48,10 @@ class PermissionValidatorProvider implem
     public Validator getRootValidator(NodeState before, NodeState after) {
         Subject subject = Subject.getSubject(AccessController.getContext());
         Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
-        CompiledPermissions permissions = acConfiguration.getPermissionProvider(NamePathMapper.DEFAULT).getCompiledPermissions(/*TODO*/null, principals);
 
-        NodeUtil rootBefore = new NodeUtil(new ReadOnlyTree(before));
-        NodeUtil rootAfter = new NodeUtil(new ReadOnlyTree(after));
-        return new PermissionValidator(rootBefore, rootAfter, permissions, this);
-    }
-
-    //-----------------------------------------------------------< internal >---
-    Context getUserContext() {
-        return securityProvider.getUserConfiguration().getContext();
-    }
-
-    Context getPrivilegeContext() {
-        return securityProvider.getPrivilegeConfiguration().getContext();
-    }
+        ReadOnlyTree beforeTree = new ReadOnlyTree(before);
+        PermissionProvider pp = acConfiguration.getPermissionProvider(beforeTree, principals);
 
-    Context getAccessControlContext() {
-        return acConfiguration.getContext();
+        return new PermissionValidator(beforeTree, new ReadOnlyTree(after), pp, this);
     }
 }

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java?rev=1440540&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/TmpPermissionProvider.java Wed Jan 30 17:33:37 2013
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.security.Principal;
+import java.util.Set;
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
+
+/**
+ * TmpPermissionProvider... TODO remove again once permission evaluation works.
+ */
+class TmpPermissionProvider extends PermissionProviderImpl {
+
+    private final boolean isAdmin;
+
+    public TmpPermissionProvider(@Nonnull Root root, @Nonnull Set<Principal> principals, @Nonnull SecurityProvider securityProvider) {
+        super(root, principals, securityProvider);
+        isAdmin = principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals);
+    }
+
+    public TmpPermissionProvider(@Nonnull Tree rootTree, @Nonnull Set<Principal> principals, @Nonnull SecurityProvider securityProvider) {
+        super(rootTree, principals, securityProvider);
+        isAdmin = principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals);
+    }
+
+    @Override
+    public boolean canRead(@Nonnull Tree tree) {
+        return true;
+    }
+
+    @Override
+    public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
+        return true;
+    }
+
+    @Override
+    public boolean isGranted(long permissions) {
+        if (isAdmin) {
+            return true;
+        } else {
+            return permissions == Permissions.READ;
+        }
+    }
+
+    @Override
+    public boolean isGranted(@Nonnull Tree tree, long permissions) {
+        if (isAdmin) {
+            return true;
+        } else {
+            return permissions == Permissions.READ_NODE;
+        }
+    }
+
+    @Override
+    public boolean isGranted(@Nonnull Tree parent, @Nonnull PropertyState property, long permissions) {
+        if (isAdmin) {
+            return true;
+        } else {
+            return permissions == Permissions.READ_PROPERTY;
+        }
+    }
+
+    private static boolean isAdmin(Set<Principal> principals) {
+        for (Principal principal : principals) {
+            if (principal instanceof AdminPrincipal) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
\ No newline at end of file

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java (from r1439952, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java&r1=1439952&r2=1440540&rev=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AllPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/AllPermissions.java Wed Jan 30 17:33:37 2013
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.spi.security.authorization;
+package org.apache.jackrabbit.oak.security.authorization.permission;
 
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -26,7 +26,8 @@ public final class AllPermissions implem
 
     private static final CompiledPermissions INSTANCE = new AllPermissions();
 
-    private AllPermissions() {}
+    private AllPermissions() {
+    }
 
     public static CompiledPermissions getInstance() {
         return INSTANCE;
@@ -43,17 +44,17 @@ public final class AllPermissions implem
     }
 
     @Override
-    public boolean isGranted(int permissions) {
+    public boolean isGranted(long permissions) {
         return true;
     }
 
     @Override
-    public boolean isGranted(Tree tree, int permissions) {
+    public boolean isGranted(long permissions, Tree tree) {
         return true;
     }
 
     @Override
-    public boolean isGranted(Tree parent, PropertyState property, int permissions) {
+    public boolean isGranted(long permissions, Tree parent, PropertyState property) {
         return true;
     }
 }
\ No newline at end of file

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (from r1440499, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java&r1=1440499&r2=1440540&rev=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Wed Jan 30 17:33:37 2013
@@ -14,54 +14,129 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.security.authorization;
+package org.apache.jackrabbit.oak.security.authorization.permission;
 
 import java.security.Principal;
+import java.security.acl.Group;
+import java.util.List;
+import java.util.Map;
 import java.util.Set;
+import javax.annotation.Nonnull;
 
+import com.google.common.collect.ImmutableSortedMap;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
-import org.apache.jackrabbit.oak.spi.security.authorization.CompiledPermissions;
+import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
-import org.apache.jackrabbit.oak.spi.state.NodeStore;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.apache.jackrabbit.util.Text;
+
+import static com.google.common.base.Preconditions.checkNotNull;
 
 /**
  * TODO
  */
-class CompiledPermissionImpl implements CompiledPermissions {
+public class CompiledPermissionImpl implements CompiledPermissions, AccessControlConstants {
+
+    private final ReadOnlyTree permissionsTree;
+    private final Set<Principal> principals;
 
-    CompiledPermissionImpl(NodeStore nodeStore, Set<Principal> principals) {
+    private Map<Key, Entry> userEntries;
+    private Map<Key, Entry> groupEntries;
 
+    public CompiledPermissionImpl(@Nonnull ReadOnlyTree permissionsTree, @Nonnull Set<Principal> principals) {
+        this.permissionsTree = permissionsTree;
+        this.principals = checkNotNull(principals);
+
+        EntriesBuilder builder = new EntriesBuilder();
+        for (Principal principal : principals) {
+            Tree t = permissionsTree.getChild(Text.escapeIllegalJcrChars(principal.getName()));
+            builder.addEntry(principal, t);
+        }
+        userEntries = builder.userEntries.build();
+        groupEntries = builder.groupEntries.build();
     }
 
     @Override
     public boolean canRead(Tree tree) {
-        // TODO
-        return true;
+        return isGranted(Permissions.READ_NODE, tree);
     }
 
     @Override
     public boolean canRead(Tree tree, PropertyState property) {
-        // TODO
-        return true;
+        return isGranted(Permissions.READ_PROPERTY, tree, property);
     }
 
     @Override
-    public boolean isGranted(int permissions) {
+    public boolean isGranted(long permissions) {
         // TODO
         return false;
     }
 
     @Override
-    public boolean isGranted(Tree tree, int permissions) {
+    public boolean isGranted(long permissions, Tree tree) {
         // TODO
-        return (permissions == Permissions.READ_NODE);
+        return false;
     }
 
     @Override
-    public boolean isGranted(Tree parent, PropertyState property, int permissions) {
+    public boolean isGranted(long permissions, Tree parent, PropertyState property) {
         // TODO
-        return (permissions == Permissions.READ_PROPERTY);
+        return false;
     }
 
+    //------------------------------------------------------------< private >---
+
+    private static final class Key implements Comparable<Key> {
+
+        private String path;
+        private long order;
+
+        private Key(NodeUtil node) {
+            path = node.getString("path", "");
+            order = node.getLong("order", -1);
+        }
+
+        @Override
+        public int compareTo(Key key) {
+            // TODO
+            return 0;
+        }
+    }
+
+    private static final class Entry {
+
+        private final boolean isAllow;
+        private final String[] privilegeNames;
+        private final List<String> restrictions;
+        private final long permissions;
+
+        Entry(NodeUtil node) {
+            isAllow = node.hasPrimaryNodeTypeName(NT_REP_GRANT_ACE);
+            privilegeNames = node.getStrings(REP_PRIVILEGES);
+            restrictions = null; // TODO
+
+            permissions = node.getLong("permissions", Permissions.NO_PERMISSION);
+        }
+    }
+
+    private static final class EntriesBuilder {
+
+        ImmutableSortedMap.Builder<Key, Entry> userEntries = ImmutableSortedMap.naturalOrder();
+        ImmutableSortedMap.Builder<Key, Entry> groupEntries = ImmutableSortedMap.naturalOrder();
+
+        private void addEntry(Principal principal, Tree entryTree) {
+            NodeUtil node = new NodeUtil(entryTree);
+            Entry entry = new Entry(node);
+            if (entry.permissions != Permissions.NO_PERMISSION) {
+                Key key = new Key(node);
+                if (principal instanceof Group) {
+                    groupEntries.put(key, entry);
+                } else {
+                    userEntries.put(key, entry);
+                }
+            }
+        }
+    }
 }

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java (from r1439952, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java&r1=1439952&r2=1440540&rev=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/CompiledPermissions.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissions.java Wed Jan 30 17:33:37 2013
@@ -14,7 +14,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.spi.security.authorization;
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import javax.annotation.Nonnull;
 
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -24,14 +26,14 @@ import org.apache.jackrabbit.oak.api.Tre
  */
 public interface CompiledPermissions {
 
-    boolean canRead(Tree tree);
+    boolean canRead(@Nonnull Tree tree);
 
-    boolean canRead(Tree tree, PropertyState property);
+    boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property);
 
-    boolean isGranted(int permissions);
+    boolean isGranted(long permissions);
 
-    boolean isGranted(Tree tree, int permissions);
+    boolean isGranted(long permissions, @Nonnull Tree tree);
 
-    boolean isGranted(Tree parent, PropertyState property, int permissions);
+    boolean isGranted(long permissions, @Nonnull Tree parent, @Nonnull PropertyState property);
 
 }

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java?rev=1440540&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/NoPermissions.java Wed Jan 30 17:33:37 2013
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization.permission;
+
+import javax.annotation.Nonnull;
+
+import org.apache.jackrabbit.oak.api.PropertyState;
+import org.apache.jackrabbit.oak.api.Tree;
+
+/**
+ * NoPermissions... TODO
+ */
+public final class NoPermissions implements CompiledPermissions {
+
+    private static final CompiledPermissions INSTANCE = new NoPermissions();
+
+    private NoPermissions() {
+    }
+
+    public static final CompiledPermissions getInstance() {
+        return INSTANCE;
+    }
+
+    @Override
+    public boolean canRead(@Nonnull Tree tree) {
+        return false;
+    }
+
+    @Override
+    public boolean canRead(@Nonnull Tree tree, @Nonnull PropertyState property) {
+        return false;
+    }
+
+    @Override
+    public boolean isGranted(long permissions) {
+        return false;
+    }
+
+    @Override
+    public boolean isGranted(long permissions, @Nonnull Tree tree) {
+        return false;
+    }
+
+    @Override
+    public boolean isGranted(long permissions, @Nonnull Tree parent, @Nonnull PropertyState property) {
+        return false;
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java?rev=1440540&r1=1440539&r2=1440540&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionDefinitionImpl.java Wed Jan 30 17:33:37 2013
@@ -28,7 +28,7 @@ import static com.google.common.base.Pre
 /**
  * RestrictionDefinitionImpl... TODO
  */
-public class RestrictionDefinitionImpl implements RestrictionDefinition {
+class RestrictionDefinitionImpl implements RestrictionDefinition {
 
     private final String name;
     private final int type;
@@ -38,15 +38,15 @@ public class RestrictionDefinitionImpl i
     /**
      * Create a new instance.
      *
-     * @param name The oak name of the restriction definition.
-     * @param type The required type of this definition. Any valid JCR
-     * {@link javax.jcr.PropertyType} except {@link javax.jcr.PropertyType#UNDEFINED}
-     * is allowed.
-     * @param isMandatory A boolean indicating if the restriction is mandatory.
+     * @param name           The oak name of the restriction definition.
+     * @param type           The required type of this definition. Any valid JCR
+     *                       {@link javax.jcr.PropertyType} except {@link javax.jcr.PropertyType#UNDEFINED}
+     *                       is allowed.
+     * @param isMandatory    A boolean indicating if the restriction is mandatory.
      * @param namePathMapper The name path mapper used to calculate the JCR name.
      */
-    public RestrictionDefinitionImpl(@Nonnull String name, int type, boolean isMandatory,
-                                     @Nonnull NamePathMapper namePathMapper) {
+    RestrictionDefinitionImpl(@Nonnull String name, int type, boolean isMandatory,
+                              @Nonnull NamePathMapper namePathMapper) {
         this.name = checkNotNull(name);
         if (type == PropertyType.UNDEFINED) {
             throw new IllegalArgumentException("'undefined' is not a valid required definition type.");



Mime
View raw message